Kernel vs. Userspace versions

The released versions documented below are for the AppArmor userspace utils. The AppArmor kernel module does not track versions the same way, as it primarily tracks Linux kernel releases. In general the AppArmor kernel module tries to support old versions of the AppArmor userspace (at this time versions 2.1 - 2.10), and the AppArmor userspace supports the current and previous releases of the kernel.

For a new feature to be usable, both a version of the userspace utils and a kernel that support the feature are required. If the AppArmor userspace utils are too old they will fail to recognize the feature and policy compilation will fail. If the kernel is too old, one of three things happens: the AppArmor utils compile the policy down to what the kernel supports, dropping the unsupported feature; the kernel ignores the unsupported feature; or the kernel rejects the policy load if it is for an ABI it does not support.
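As an added example (not a script from the AppArmor wiki or project), the following POSIX shell script reports the installed apparmor_parser version alongside which rule classes the running kernel advertises, so a kernel/userspace mismatch of the kind described above can be spotted before a policy load silently drops a feature. It assumes the standard securityfs path /sys/kernel/security/apparmor/features, where the kernel exposes one subdirectory per supported feature (for example file, mount, network); the AA_FEATURES override variable is the script's own convenience, not an AppArmor interface.

```shell
#!/bin/sh
# Added example: compare what the userspace parser is and what the kernel
# advertises. The securityfs path below is the standard location; the
# environment override exists only so the functions can be exercised
# against a constructed directory tree.
AA_FEATURES="${AA_FEATURES:-/sys/kernel/security/apparmor/features}"

# Print the first line of `apparmor_parser --version`, or "missing" when
# the userspace utils are not installed at all.
parser_version() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser --version 2>/dev/null | head -n 1
    else
        echo "missing"
    fi
}

# kernel_has_feature DIR NAME
# Return 0 when DIR/NAME exists in the kernel's features tree, 1 otherwise.
# A missing DIR (AppArmor not enabled, or a kernel predating the
# introspection interface) also counts as "not supported".
kernel_has_feature() {
    dir=$1
    name=$2
    [ -d "$dir" ] || return 1
    [ -e "$dir/$name" ]
}

# check_feature DIR NAME
# Print a one-line verdict; exit status mirrors kernel_has_feature.
check_feature() {
    if kernel_has_feature "$1" "$2"; then
        printf 'kernel: %s rules supported\n' "$2"
        return 0
    fi
    printf 'kernel: %s rules NOT advertised (policy using them would be dropped or rejected)\n' "$2"
    return 1
}

# Report the parser version and a few well-known feature directories.
# Always returns 0 so the report itself never aborts a calling script.
main() {
    printf 'userspace: apparmor_parser %s\n' "$(parser_version)"
    for f in file mount network; do
        check_feature "$AA_FEATURES" "$f" || true
    done
    return 0
}

main
```

Run it on a host to get the report; the two helper functions can also be sourced and pointed at any directory, which is how the constructed test tree below exercises them without a running AppArmor kernel.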

AppArmor kernel module versions

The kernel module's history breaks down into several development epochs.

Pre-LSM kernel patch. Not upstreamed and lost long ago.

apparmor 2.0: LSM rewrite.

apparmor 2.1: DFA and invasive VFS hooks patch

apparmor 2.5: creds and LSM path hooks rewrite

apparmor 3: labeling, a development series that was a precursor to type splitting. Carried by Ubuntu but never upstreamed.

AppArmor 2.8.0

Development target: incremental improvement over AppArmor 2.7.x, with more code cleanups and bug fixes to the userspace tools. Adds mount rules and the start of a new introspection interface in the kernel.

AppArmor 2.4

In this version of AppArmor, development of new features was largely halted and the kernel module was rewritten to use the new path_permission hooks provided by the LSM framework. This necessitated some changes to userspace as well, and some features were lost.

Features added

Profile names can now contain regular expressions, allowing a single profile to match multiple binaries.

pux profile transitions, so that x transitions can fall back to unconfined if a profile is not present.

Better support for profile namespaces.
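The first two features above, shown in a constructed profile (an added example, not a profile shipped by the AppArmor project): the profile name uses a pattern so one profile matches every reporter-* binary, and a child helper is launched with a pux transition. The paths /usr/local/bin/reporter-* and /usr/local/bin/helper are assumptions for illustration only.

```apparmor
# Constructed example profile (not from the AppArmor project).
# The pattern in the profile name matches /usr/local/bin/reporter-daily,
# /usr/local/bin/reporter-weekly, and so on, with one policy for all of them.
/usr/local/bin/reporter-* {
  #include <abstractions/base>

  # The binaries this profile covers may map themselves for execution.
  /usr/local/bin/reporter-* mr,

  # Configuration is read-only; logs may be written under one directory.
  /etc/reporter.conf r,
  /var/log/reporter/** w,

  # pux: run the helper under its own profile if one named
  # /usr/local/bin/helper is loaded; otherwise fall back to running it
  # unconfined (this is the fallback the page describes).
  /usr/local/bin/helper pux,
}
```

The fallback is the security-relevant part: with px the exec is denied when no matching profile is loaded, while with pux the helper runs unconfined in that case. Use pux only where an unconfined helper is acceptable, and confirm the helper's profile is actually loaded (for example with aa-status) rather than relying on the fallback to hide a missing profile.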

Features lost

The ability for an unconfined process to arbitrarily set a task's profile.

AppArmor 2.1+ (Deprecated)

AppArmor 2.1+ is based on 2.1.1 plus some of the development for 2.3. Specifically, it contains kernel and parser support for profile namespaces, link pairs, and file rules conditional upon user. The tools, however, do not support any of these features, so they are of limited use.

AppArmor 2.1 SLES10SP2 release (Deprecated)

This is a backport of AppArmor 2.1 to SLES10SP2. It has the 2.1 feature set plus a modified apparmor_parser capable of loading both the older 2.0/2.0.1 (pcre-based) policy and the newer 2.1 (dfa-based) policy.